FS#59087 - [fail2ban] Please add systemd hardening
Attached to Project:
Community Packages
Opened by Francois (francoism90) - Wednesday, 20 June 2018, 14:11 GMT
Last edited by Doug Newgard (Scimmia) - Thursday, 21 June 2018, 16:53 GMT
Opened by Francois (francoism90) - Wednesday, 20 June 2018, 14:11 GMT
Last edited by Doug Newgard (Scimmia) - Thursday, 21 June 2018, 16:53 GMT
|
Details
Description:
It would be better to provide a more secure systemd service by default, by using a drop-in unit. The wiki mention how to do this, but still depend on user actions. e.g.: [Service] PrivateDevices=yes PrivateTmp=yes ProtectHome=read-only ProtectSystem=strict NoNewPrivileges=yes ReadWritePaths=-/var/run/fail2ban ReadWritePaths=-/var/lib/fail2ban ReadWritePaths=-/var/log/fail2ban CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW Additional info: * fail2ban Steps to reproduce: * systemctl cat fail2ban.service Thanks. |
This task depends upon
Closed by Doug Newgard (Scimmia)
Thursday, 21 June 2018, 16:53 GMT
Reason for closing: Won't implement
Thursday, 21 June 2018, 16:53 GMT
Reason for closing: Won't implement
Comment by Doug Newgard (Scimmia) -
Thursday, 21 June 2018, 16:53 GMT
Arch doesn't override upstream service files with dropins by
default. This is an administrator action. If you want the service
file changed, talk to upstream.